Bug#931728: variety: privacy breach in variety

[James Lu]

Control: forwarded -1 https://github.com/varietywalls/variety/issues/198

Hi Damyan,

I've copied this upstream, thanks for spotting this.

Best,
James

On 2019-07-09 9:43 a.m., Damyan Ivanov wrote:
> Package: variety
> Version: 0.7.1-2
> Severity: important
> Tags: upstream
> 
> Hi,
> 
> Thank you for packaging variety. It is a very nice program and does its work 
> smoothly.
> 
> Sadly, it contains code which attempts to load "options" from a remove server 
> without user's consent. See [1] and [2].
> 
> [1] 
> https://sources.debian.org/src/variety/0.7.1-2/variety/VarietyWindow.py/?hl=81#L609
> [2] 
> https://sources.debian.org/src/variety/0.7.1-2/variety/VarietyWindow.py/?hl=81#L932
> 
> I'll prepare a merge request that removes the start of the background thread 
> which does the fetch. Variety works just fine without it.
> 
> 
> Thanks for considering,
>     Damyan
> 
> -- System Information:
> Debian Release: 10.0
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), 
> (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
> Kernel taint flags: TAINT_OOT_MODULE
> Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8), 
> LANGUAGE=bg_BG.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages variety depends on:
> ii  gir1.2-gdkpixbuf-2.0             2.38.1+dfsg-1
> ii  gir1.2-gexiv2-0.10               0.10.9-1
> ii  gir1.2-glib-2.0                  1.58.3-2
> ii  gir1.2-gtk-3.0                   3.24.5-1
> ii  gir1.2-notify-0.7                0.7.7-4
> ii  gir1.2-pango-1.0                 1.42.4-6
> ii  imagemagick                      8:6.9.10.23+dfsg-2.1
> ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2.1
> ii  python3                          3.7.3-1
> ii  python3-bs4                      4.7.1-1
> ii  python3-cairo                    1.16.2-1+b1
> ii  python3-configobj                5.0.6-3
> ii  python3-dbus                     1.2.8-3
> ii  python3-gi                       3.30.4-1
> ii  python3-gi-cairo                 3.30.4-1
> ii  python3-lxml                     4.3.3-2
> ii  python3-pil                      5.4.1-2
> ii  python3-pkg-resources            41.0.1-1
> ii  python3-requests                 2.21.0-1
> 
> Versions of packages variety recommends:
> ii  gir1.2-appindicator3-0.1  0.4.92-7
> ii  python3-httplib2          0.11.3-2
> 
> Versions of packages variety suggests:
> pn  feh | nitrogen                      <none>
> ii  gnome-shell-extension-appindicator  22-1
> 
> -- no debconf information
> 

signature.asc
Description: OpenPGP digital signature